For people involved with the distribution of medically underwritten
insurance products, stories about hacking of big corporate databases may
seem a little bit like reports of a few cases of Ebola cropping up on
some distant continent.

Too bad for those folks, but you have appointments to remember and
sales quotas to meet.

When Anthem Inc. (NYSE:ANTM) announced late Wednesday that it had
detected an intrusion into one of its major databases, that was like
seeing contagion control personnel in hazmat suits parking in your
neighbor's driveway.

Anthem has teams of compliance lawyers to understand the privacy
and data security provisions in the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and the Health Information Technology
for Economic and Clinical Health Act (HITECH Act), which was part of the
American Recovery and Reinvestment Act of 2009. Anthem also has teams of
information technology specialists to apply its knowledge of HIPAA and
the HITECH Act.

You may have to rely on whatever help insurers and technology
vendors are giving you, along with the wise counsel of the techie
sister-in-law who helped you set up your WiFi network.

Meanwhile, hacked health records can sell for more than $10 each,
and sometimes for as much as $1,300 each.

Insurers may have insulated you from the hazards of holding
anything that HIPAA defines as "protected health information"
(PHI) by re-working their underwriting procedures. If not, you could find
that performing a task as simple as asking prospects and clients to fill
out a screening questionnaire could expose you to unexpected
risks.

The Centers for Medicare & Medicaid Services (CMS), an arm of
the U.S. Department of Health and Human Services (HHS), has created a
10-page packet to help organizations determine whether they are
"covered entities" for HIPAA purposes.

Most health plans are covered entities, and CMS has been getting
serious about applying HIPAA privacy rules to health plans.

Some companies that look like something other than health plans may
be covered entities in some situations. In other situations, they and
their affiliates may act as "business associates," or entities
that use PHI and have to meet roughly the same privacy and data security
requirements that health plans must meet.

In theory, a business associate that violated the HIPAA rules could
face a civil penalty of up to $50,000 per violation. An associate found
guilty of willful neglect and a failure to address a problem promptly
could face a civil penalty of as much as $1.5 million per violation.

2. The HHS Office for Civil Rights could be starting "Phase
2" audits any day.

CMS and HHS have applied the PHI rules to business associates since
2003, but, in practice, the HIPAA compliance enforcement body, the HHS
Office for Civil Rights (OCR), has focused "Phase 1" audits on
covered entities, not business associates.

OCR officials began getting official approvals for the paperwork
they would need to conduct "Phase 2" audits, or audits of
insurance agents and other business associates, about a year ago.

OCR officials decided to wait until they had set up an information
submission Web portal to start the audits, but HIPAA compliance
specialists say the Phase 2 audits could begin at any time.


3. At one point, the HHS office in charge of the Phase 2 audits had
lousy data security.

If OCR investigators do audit your business, one risk for you is
that the investigators could collect sensitive information about you and
your business, and that hackers could then get that information from the
OCR investigators' computers.

Officials with the Office of Inspector General at HHS reported in
December 2013 that the OCR staff failed to comply with federal
risk-management requirements for the three computer systems they used to
do their own work.

In the past, many of those emails looked as if they were from
senders who were up to no good.

Today, many senders of unsavory email have learned how to compose
emails that look like real emails from a recipient's credit card
issuer, employer help desk or friends. The senders may have the victims
fooled long enough to get the victims to click on one or more dangerous
links.


5. Users are getting around onerous security precautions by using
work-arounds that could render all of those sophisticated (but highly
annoying) precautions useless.

Companies are trying to use sophisticated identity
verification systems to reduce the risk of cyber attacks, but the
awkwardness of using those systems may lead to behaviors that increase
the systems' vulnerability.

Many companies, for example, now require users to create tricky
passwords that include lowercase letters, uppercase letters, punctuation
marks and special symbols.

Some users cope by repeatedly re-using the same passwords for
different systems. A hacker who finds one user password may find that
it leads to entry into many different systems.

In other cases, companies are finding that users forget passwords
so often that the companies now advise the users "to write the
password down in a safe place." If that safe place happens to be a
paper note next to the user's computer, in the user's upper
desk drawer, or in a file on the user's virtual computer desktop,
that may leave the user's accounts vulnerable to snoopers who have
access to the user's office.


COPYRIGHT 2015 ALM Media, LLC